Educate and train users.

. 

There is a complete lack of any training and education program. The organisation has not even recognised there is an issue to be addressed with respect to training and there is no communication on the issue.

Training and education result in an improvement of individual performance. Training and education are critical components of the employee career paths. Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. Processes have been refined and are under continuous improvement, taking advantage of best external practices and maturity modelling with other organisations. All problems and deviations are analysed for root causes and efficient action is expediently identified and taken. There is a positive attitude with respect to ethical conduct and system security principles. IT is used in an extensive, integrated and optimised manner to automate and provide tools for the training and education program. External training experts are leveraged and benchmarks are used for guidance.

There is a comprehensive training and education program that is focused on individual and corporate needs and yields measurable results. Responsibilities are clear and process ownership is established. Training and education is a component of employee career paths. Management supports and attends training and educational sessions. All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance by constantly reviewing and updating the training and education program and processes. Processes are under improvement and enforce best internal practices.

The training and education program has been institutionalised and communicated, and employees and managers identify and document training needs. Training and education processes have been standardised and documented. Budgets, resources, facilities and trainers are being established to support the training and education program. Formal classes are given to employees in ethical conduct and in system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is only occasionally applied.

There is awareness of the need for a training and education program and for associated processes throughout the organisation. Training is beginning to be identified in the individual performance plans of employees. Processes have developed to the stage where informal training and education classes are taught by different instructors, while covering the same subject matter with different approaches. Some of the classes address the issues of ethical conduct and system security awareness and practices. There is high reliance on the knowledge of individuals. However, there is consistent communication on the overall issues and the need to address them. 

There is evidence that the organisation has recognised the need for a training and education program, but there are no standardised processes. In the absence of an organised program, employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices. The overall management approach lacks any cohesion and there is only sporadic and inconsistent communication on issues and approaches to address training and education.